DevBank and Your Explorer Key

DevBank is an API environment running the full stack of Apiture APIs for the Apiture Developer Portal (Dev Portal).

This sandbox environment exists only for testing purposes—for trying out and learning the Apiture APIs from the Dev Portal or from your own development environment, tools, and test applications. The Get Started page and the Try It feature in the API Reference execute API calls against the DevBank environment.

DevBank is not connected to any real money movement. While you can create accounts via the Account Applications and Accounts APIs, you cannot transfer money into or out of the accounts: they are not real accounts. In addition, no scheduled transfers are processed, and any transaction history is mock data.

The Apiture APIs are deployed in DevBank at https://api.devbank.apiture.com

Authentication and Authorization

When you log on to developer.apiture.com, the Dev Portal coordinates authentication with DevBank, which uses the Dev Portal as the identity server.

The authentication bearer token granted when you log onto the Dev Portal may be used for API calls on DevBank. (See Secure Access for more information about calling Apiture APIs in a secure manner.) The Dev Portal lists your DevBank access token on your My Account page.

The Apiture APIs will create resources owned by your Dev Portal identity, and the APIs will return only the data associated with your Dev Portal identity. All resources in the APIs are guarded by end-user entitlements. For example, each user can see their accounts, but not other peoples’ accounts. (However, co-owners and authorized signers can see their associated accounts.)

Your DevBank Explorer API Key and Access Token

Your My Account page also contains your Explorer Key (once approved) which you can use as an API Key for API calls. Your Explorer Key is associated with the Dev Portal as the client application.

The Dev Portal automatically inserts your Explorer Key and your access token in the Try It blocks in the API reference or tutorials. These are sent to the API calls as the API-Key request header and the Authorization: Bearer <access-token> request header, respectively. The key and token are both are presented as masked data in the Try It blocks. Click the “eye-con” in your My Account page to reveal your Explorer Key and your access token. Copy these values for use outside the Dev Portal, such as in curl commands or in Postman or other API testing tools.

For example, if you reveal your explorer key and access tokens and they have the values 4508485571702fea0e8b and ef0ea4086f04d14d3984c4aefaf7e0aa5c, you can use them in an API via curl:

# Use bash `read' so your key and token are not saved in shell history:
$ read KEY
4508485571702fea0e8b
$ read TOKEN
ef0ea4086f04d14d3984c4aefaf7e0aa5c
$ curl "-HAPI-Key:$KEY" \
       "-HAuthorization: Bearer $TOKEN" \
       https://api.devbank.apiture.com/accounts/accounts

Your Explorer access token expires every 60 minutes, but the Dev Portal refreshes it if you remain active. If you try an API call with your Explorer Key and token and get a 401 Unauthorized or 403 Forbidden HTTP response code, your may have used an expired access token. Return to your My Account page and copy the most recent access token.

You should treat both the Explorer API key and your access token as secret data. Do not share your key or token with others, embed them in source code, etc.

Generating Sample Data

The Dev Portal My Account page also has a button to allow you to generate sample data to create a new savings account owned by your Dev Portal identity, but created with mock data. The data generation may take a few minutes. After generating data, you should see some data with the getAccounts operation in the Accounts API, the getContacts operation in the Contacts API, and more.

Discoverer Key

If you visit the developer without authenticating, the Dev Portal will use a Discoverer API Key and a private access token. These allow visitors to try the APIs without registering or logging in, but have limited permissions. Both of these expire on a regular basis and are presented as masked data in the Try It blocks.